A group of security researchers from Ensilo discovered a new malware evasion technique, dubbed Process Doppelgänging, that could be implemented by vxers to bypass most antivirus solutions and security software.
The technique is a fileless code injection method that exploits a built-in Windows function and an undocumented implementation of the Windows process loader.
The Process Doppelgänging technique works on almost any Windows version starting from Windows Vista to the latest version of Windows 10.
Process Doppelgänging presents similarities to another technique dubbed Process Hollowing, but it relies upon the Windows mechanism of NTFS Transactions.
The Process Hollowing could be used by attackers to replace the memory of a legitimate process with a malicious code, in this way security software are tricked into believing that the legitimate process is running.
Fortunately, all modern security software are able to detect Process Hollowing attacks.The Process Doppelgänging leverages the Windows NTFS Transactions and an outdated implementation of Windows process loader originally designed for Windows XP to carry on the attack.
NTFS Transaction is a Windows feature that was implemented to integrate transactions into the NTFS file system, allowing it easier for application developers to handle errors and preserve data integrity, and of course to manage files and directories.
“The goal of the technique is to allow a malware to run arbitrary code (including code that is known to be malicious) in the context of a legitimate process on the target machine,” said the security duo.
“Very similar to process hollowing but with a novel twist. The challenge is doing it without using suspicious process and memory operations such as SuspendProcess, NtUnmapViewOfSection.”
“In order to achieve this goal we leverage NTFS transactions. We overwrite a legitimate file in the context of a transaction. We then create a section from the modified file (in the context of the transaction) and create a process out of it. It appears that scanning the file while it’s in transaction is not possible by the vendors we checked so far (some even hang) and since we rollback the transaction, our activity leaves no trace behind.”
According to the tests conducted by the researchers, which used Process Doppelgänging to run the well-known password-stealing utility Mimikatz without being detected, the technique evades detection from most antiviruses as reported in the following table:
Liberman explained that the Process Doppelgänging works on even the latest version of Windows 10, except Windows 10 Redstone and Fall Creators Update, both released earlier this year. On these later releases, the attack triggers a BSOD (blue screen of death) condition.
Fortunately, it is technically challenging to power Process Doppelgänging attacks due to the need to know “a lot of undocumented details on process creation.”
The bad news is that the attack “cannot be patched since it exploits fundamental features and the core design of the process loading mechanism in Windows.”
(Security Affairs – Process Doppelgänging, hacking)
Necessary cookies are absolutely essential for the website to function properly. This category only includes cookies that ensures basic functionalities and security features of the website. These cookies do not store any personal information.
Any cookies that may not be particularly necessary for the website to function and is used specifically to collect user personal data via analytics, ads, other embedded contents are termed as non-necessary cookies. It is mandatory to procure user consent prior to running these cookies on your website.